Getting Your Drupal Website GDPR Compliant

As the GDPR comes into effect, businesses are scrambling to take measures to become compliant with the regulation. If you maintain a Drupal website and would like to know how easily you can make it GDPR compliant, read on.

This article focuses on the contributed modules available on Drupal.org that are aimed at helping website owners become compliant with the new regulation.

EU Cookie Compliance

This module was released after the EU Directive came into effect in May 2012. However, it is useful under the GDPR too.

Under the GDPR, you should inform your visitors about the cookies you are using on your website and give them an option to opt out. This module provides:

A cookie banner which can be shown to visitors

Option to set cookies using JavaScript

Option to set cookie expiration

Ability to customize the banner - position, color, role

Option to restrict the banner to EU countries. However, this requires additional modules to be configured

What this module doesn’t cover: the ability to opt out of or unset cookies

Under the GDPR, it is mandatory for visitors to be able to withdraw their consent easily. This means that if they have accepted the cookies, they should be able to undo that in a similar way. This module doesn’t provide an option for this.

If your website does not collect personal information from visitors and only uses the cookies it needs, you can use this module to display the cookie banner to visitors. Configuring the module takes just a couple of minutes.

General Data Protection Regulation

Checklist

The site admin can review the checklist manually and ensure that the necessary measures are taken to comply with GDPR. The checklist items include whether there is a privacy policy page, whether the enabled modules are using relevant information, whether a user has the option to cancel his/her account, etc.

Drush command

The ‘SQL Dump settings’ module provides a Drush command to obscure the fields which contain sensitive personal data. The aim is to prevent developers from accessing sensitive information of users.

GDPR consent

User agreements can be set up and tracked using this module. This is only available for Drupal 8.

GDPR fields

Fields that contain sensitive personal data can be marked as GDPR fields. Currently only marking is supported and more development is in progress. This is also available only for Drupal 8.

The Drupal.org page for this module explains that more development is on the way. Items such as allowing the user to initiate the “forget me” action by site administrators and a GDPR views data export to track data flowing out from Drupal are listed as future tasks, and development progress looks promising. Once all those features are deployed, you might only need this single module.

Scrambler

By configuring what data to scramble, you can avoid exposing sensitive information from your database. The module also contains the Scrambler Field submodule, which lets you administer which scramble methods to apply per field. The default scrambling methods available are emptying values and shuffling characters and words. You can also define your own custom sanitizing methods.
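The three default methods and one custom method, applied through a per-field map, as an added PHP example that is not the Scrambler module's own code. The function names, field map and sample row are constructed, and "shuffle words" is read here as reordering the words of a value.

```php
<?php
// Added illustration, not Scrambler module code. Function names, the field
// map and the sample row are constructed for this example.
function scramble_empty(string $value): string {
    return '';
}

function scramble_shuffle_chars(string $value): string {
    // Split on code points so multi-byte names are not corrupted.
    $chars = preg_split('//u', $value, -1, PREG_SPLIT_NO_EMPTY);
    shuffle($chars);
    return implode('', $chars);
}

function scramble_shuffle_words(string $value): string {
    $words = preg_split('/\s+/u', trim($value), -1, PREG_SPLIT_NO_EMPTY);
    shuffle($words);
    return implode(' ', $words);
}

// Custom method: a synthetic, non-routable address derived from the row's uid.
function scramble_mail(string $value, array $row): string {
    return 'user' . $row['uid'] . '@example.invalid';
}

// Apply the configured method to each listed field; other fields pass through.
function scramble_row(array $row, array $fieldMethods): array {
    $out = $row;
    foreach ($fieldMethods as $field => $method) {
        if (isset($row[$field])) {
            $out[$field] = $method((string) $row[$field], $row);
        }
    }
    return $out;
}

$fieldMethods = ['phone' => 'scramble_empty', 'name' => 'scramble_shuffle_chars',
                 'bio' => 'scramble_shuffle_words', 'mail' => 'scramble_mail'];
$row = ['uid' => 7, 'name' => 'Zoë Example', 'mail' => 'zoe@example.com',
        'phone' => '+1 555 0100', 'bio' => 'Lives in Ghent and likes cycling'];
$clean = scramble_row($row, $fieldMethods);
print_r($clean);

// Compare the sorted characters of the shuffled and original name.
$letters = function (string $s): array {
    $c = preg_split('//u', $s, -1, PREG_SPLIT_NO_EMPTY); sort($c); return $c;
};
var_dump($letters($clean['name']) === $letters($row['name']));
```

The final check shows that a shuffled value still contains every original character, so short or distinctive values can remain guessable; emptying or replacing with synthetic data removes the original value entirely.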

GDPR Consent

This module allows you to collect data processing consent from logged-in users. Administrators can view the consent history. The module is still under active development and has some known issues to start with.

Mask User Data

This module masks all the current user-related data in your database. You can easily define a map with the fields to mask and the Faker function to use for each. You can either run it with a Drush command or wait for cron to run.

GDPR Tag Manager

The module implements Google Tag Manager and IP Country Code lookup. A GTM dataLayer variable is set with the continent code value, which allows you to trigger or disable tracking scripts to help make the site GDPR compliant.

This module also provides a cookie consent popup with an option to disable pop-ups for North American countries.

Kindly note that just enabling any one of the modules will not make your website GDPR compliant. The above modules only satisfy certain conditions, and you might still need to take care of other aspects of the regulation. If you would like development assistance with the GDPR compliance of your site, get in touch with us.